[All About Switches] 15 VLAN Communication

The previous two issues described VLAN basics and VLAN assignment. After VLANs are assigned, users in the same VLAN can communicate at Layer 2 and users in different VLANs are isolated at Layer 2. In some scenarios, however, users in different VLANs need to communicate. How is this requirement met?

A VLAN is a broadcast domain, and packets between broadcast domains are relayed by routers, so inter-VLAN routing is the usual way to connect VLANs. Either a common router or a Layer 3 switch can implement it. The following describes how a Layer 3 switch implements inter-VLAN communication.

Scenario 1: Hosts on different network segments in different VLANs need to communicate and are connected through a Layer 3 switch.

Technology: VLANIF interface

Principle: Inter-VLAN routes must exist before VLANs can communicate. In this scenario the hosts are directly connected to the Layer 3 switch, so direct routes are sufficient. A VLANIF interface is a Layer 3 logical interface. After an IP address is assigned to the VLANIF interface and used as the gateway address of the hosts, a direct route to that network segment is generated on the Layer 3 switch, and the switch forwards packets between VLANs at Layer 3 through the VLANIF interfaces.

Tip: A VLANIF interface generates only a direct route, so only directly connected devices can communicate through it. On a live network, several Layer 3 switches (a Layer 3 network) may sit between the hosts; in that case you must configure static routes or a routing protocol in addition to the VLANIF interfaces to achieve interworking.

Scenario 2: Hosts on different network segments in different VLANs need to communicate and are connected through a Layer 2 switch. Only one Layer 3 switch is used to implement inter-VLAN communication.

Technology: sub-interface, also called router-on-a-stick

Principle: Like a VLANIF interface, a sub-interface is a Layer 3 logical interface. After the sub-interface's IP address is configured as the gateway address of the hosts, a direct route is generated on the Layer 3 switch, and packets between the VLANs are forwarded by the sub-interfaces. In the example, the user gateways of VLAN 2 and VLAN 3 are the sub-interfaces Port1.1 and Port2.1.

Tip: Sub-interfaces provide Layer 3 interworking while reducing the number of physical interfaces needed. Because all inter-VLAN traffic is sent over the physical interface that carries the sub-interfaces, that interface's bandwidth becomes a bottleneck when the network is busy.

Scenario 3: Hosts on the same network segment in different VLANs need to communicate.

Technology: super-VLAN, also called VLAN aggregation

As shown in the following figure, IP addresses are scarce, so hosts in different VLANs share one network segment. The hosts need to communicate with each other and access the external network.

Principle: Define a super-VLAN and its sub-VLANs. The super-VLAN is used to create a Layer 3 VLANIF interface and contains no physical interfaces. A sub-VLAN contains only physical interfaces and has no VLANIF interface; sub-VLANs isolate broadcast domains. A super-VLAN can contain one or more sub-VLANs.

A common VLAN may have both a Layer 3 logical interface and several physical interfaces; super-VLAN technology separates the two. A sub-VLAN holds only physical interfaces and keeps its own independent broadcast domain, while the super-VLAN lets all its sub-VLANs share one Layer 3 interface, so hosts in different sub-VLANs share the same gateway. The Layer 3 logical interface is associated with the physical interfaces through the mapping between the super-VLAN and its sub-VLANs. Super-VLAN technology therefore provides the functions of common VLANs while saving IP addresses.

Tip: Communication between hosts in sub-VLANs and external devices works as it does with an ordinary VLANIF interface, except that the switch must also look up the mapping between the super-VLAN and its sub-VLANs. For hosts in different sub-VLANs to communicate, proxy ARP must be enabled. Why? Because hosts in all sub-VLANs share one network segment and one gateway, a host sends traffic to another host on that segment directly at Layer 2 rather than through the gateway; but hosts in different sub-VLANs are isolated at Layer 2, so the ARP request never reaches its target. With proxy ARP, the gateway answers the ARP request on behalf of the destination host and then forwards the traffic between the sub-VLANs at Layer 3.

In the preceding scenarios, hosts in different VLANs communicate at Layer 3 through the Layer 3 switch. The switch must look up the routing table to forward between them, which is slower than Layer 2 forwarding. Can interworking between VLANs be implemented at Layer 2?

Yes: VLAN switch or VLAN mapping can be used to implement Layer 2 interworking between VLANs.

Scenario 4: Hosts in different VLANs are connected through one or more switches.

Technology: VLAN Switch

Principle: A static forwarding path, that is, a VLAN switch table specifying the VLAN ID before and after switching and the outbound interface, is predefined on each switching node (the switch in the figure). The switch changes VLAN 2 in packets received on Port2 to VLAN 3 and sends them out Port3, and changes VLAN 3 in packets received on Port3 to VLAN 2 and sends them out Port2. In this way, Layer 2 interworking between VLAN 2 and VLAN 3 is achieved.

Tip: The switch looks up the VLAN switch table instead of the MAC address table, so VLAN switch forwarding is very efficient. Can VLAN switch be used on most networks? No. A static forwarding path must be configured for every VLAN user on every switching node along the path the VLAN packets traverse, so VLAN switch is impractical when there are many VLAN users or when devices are connected across an ISP network.

Scenario 5: Hosts in different VLANs are connected across the ISP network.

Technology: VLAN mapping

Principle: VLAN mapping is configured only on the devices at the two ends (SwitchA and SwitchB in the preceding figure), and no outbound interface needs to be specified. When SwitchA receives packets from VLANs 10 to 50, it maps them to VLAN 100, looks up the MAC address table, and finds that VLAN 100 corresponds to Port2. When the VLAN 100 packets arrive at Port2 of SwitchB across the ISP network, SwitchB finds that the outbound interface for VLAN 100 is Port1, maps VLAN 100 in the packets to VLANs 60 to 90, and sends them out Port1. The packets then reach the destination host through the access switch of branch 2.

VLAN mapping only needs to be configured on devices at both ends, and the configuration on the ISP network does not need to be changed.

Tip: VLAN mapping greatly simplifies configuration. However, a switch with VLAN mapping enabled must look up the MAC address table, so forwarding is less efficient, and broadcast storms and MAC address attacks can occur more easily.

The following cases demonstrate the most commonly used of these technologies, the VLANIF interface.

Configuration Case 1: As shown in the following figure, PC1 belongs to the R&D department and PC2 to the quality department. The two departments are connected through one Layer 3 switch and need to exchange service data: Layer 2 isolation with Layer 3 communication is required.

Configuration Roadmap

The configuration is simple: add the interfaces connected to the PCs to VLANs, create VLANIF interfaces, and configure the VLANIF IP addresses as the gateway addresses of the PCs.

Procedure

Configure the switch:

#
 sysname Switch
#
vlan batch 10 20
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0 // Configure the IP address as the gateway address of PC1.
#
interface Vlanif20
 ip address 10.1.2.1 255.255.255.0 // Configure the IP address as the gateway address of PC2.
#
interface GigabitEthernet0/0/1 // Add PC1 to VLAN 10.
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2 // Add PC2 to VLAN 20.
 port link-type access
 port default vlan 20
#
return

After the configuration is complete, run the display ip routing-table command to check the routes on the device.

In the routing table, there are direct routes to the network segments of VLAN 10 and VLAN 20. Then check whether PC1 and PC2 can be pinged.

Before verification, set the IP address of PC1 to 10.1.1.2/24 with gateway 10.1.1.1, and the IP address of PC2 to 10.1.2.2/24 with gateway 10.1.2.1. Then ping between the two PCs.

The ping succeeds, so the configuration is correct.
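A small audit script for case 1, added here as an example and not part of the original post: it parses a VRP-style configuration in the form shown above and checks that each PC sits on an access port whose VLAN has a VLANIF gateway matching the PC's gateway and subnet. The configuration text and PC settings are constructed from the values in this case.

```python
import ipaddress

# Constructed sample in the same VRP style as the case-1 configuration above (not the page's own file)
CONFIG = """\
sysname Switch
vlan batch 10 20
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
interface Vlanif20
 ip address 10.1.2.1 255.255.255.0
interface GigabitEthernet0/0/1
 port default vlan 10
interface GigabitEthernet0/0/2
 port default vlan 20
"""
# PC settings from the verification step: port -> (PC address, configured gateway)
PCS = {"GigabitEthernet0/0/1": ("10.1.1.2", "10.1.1.1"),
       "GigabitEthernet0/0/2": ("10.1.2.2", "10.1.2.1")}

def parse_config(text):
    """Return ({vlan: VLANIF address/mask}, {access port: VLAN})."""
    vlanif, access, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()          # drop trailing // comments
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith("ip address ") and current and current.startswith("Vlanif"):
            _, _, ip, mask = line.split()
            vlanif[int(current[6:])] = ipaddress.IPv4Interface(f"{ip}/{mask}")
        elif line.startswith("port default vlan ") and current:
            access[current] = int(line.rsplit(None, 1)[1])
    return vlanif, access

def check_gateways(config, pcs):
    """List the reasons a PC could not reach a Layer 3 gateway; an empty list means all is well."""
    vlanif, access = parse_config(config)
    problems = []
    for port, (pc_ip, pc_gw) in pcs.items():
        vlan = access.get(port)
        if vlan is None:
            problems.append(f"{port}: not an access port in any VLAN")
        elif vlan not in vlanif:
            problems.append(f"{port}: VLAN {vlan} has no VLANIF, so no gateway exists")
        else:
            gw = vlanif[vlan]
            if ipaddress.ip_address(pc_gw) != gw.ip:
                problems.append(f"{port}: PC gateway {pc_gw} is not VLANIF{vlan} address {gw.ip}")
            if ipaddress.ip_address(pc_ip) not in gw.network:
                problems.append(f"{port}: PC address {pc_ip} is outside {gw.network}")
    return problems
```

Run check_gateways(CONFIG, PCS) against the case-1 values and it returns an empty list; a mistyped PC gateway or a VLAN with access ports but no VLANIF is reported as a problem.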

Configuration Case 2: As shown in the following figure, a dedicated VLAN is assigned to the server for security and ease of management. The hosts belong to VLAN 10 and the server to VLAN 20. Access, aggregation, and core switches are deployed between the hosts and the server; the access switch is a Layer 2 switch, and the aggregation and core switches are Layer 3 switches. The hosts and the server need to communicate with each other.

Configuration Roadmap

Multiple Layer 2 and Layer 3 switches are deployed between the hosts and the server. Configure VLANIF interfaces, using the AGG (aggregation switch) as the gateway of the hosts and the CORE (core switch) as the gateway of the server. Because VLANIF interfaces generate only direct routes, they provide interworking only between neighboring devices. To let the hosts reach the server, you must also configure a route from the AGG to the network segment of VLAN 20 and a route from the CORE to the network segment of VLAN 10. Either static or dynamic routes will do; this example uses static routes.

Procedure

1. Configure the interfaces of the ACC, AGG, and CORE, add them to VLANs, and allow user packets from VLAN 10 and VLAN 20 to be transparently transmitted to the AGG and CORE respectively.

Configure ACC1:

#
 sysname ACC1
#
vlan batch 10
#
interface GigabitEthernet0/0/1 // Add this interface to VLAN 10.
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2 // Enable packets from VLAN 10 to be transparently transmitted to the AGG.
 port link-type trunk
 port trunk allow-pass vlan 10
#
return

The configuration of ACC2 is similar. The difference is that the interface is added to VLAN 20 and packets from VLAN 20 are transparently transmitted.

2. Configure an IP address for VLANIF 10 on the AGG as the gateway address of the hosts, an IP address for VLANIF 20 on the CORE as the gateway address of the server, and IP addresses for VLANIF 30 on both switches to interconnect the AGG and CORE.

At this point the hosts cannot ping the server, because the AGG has no route to the network segment 192.168.1.0/24.

3. Configure static routes on the AGG and CORE.

Configure the AGG:

ip route-static 192.168.1.0 255.255.255.0 10.10.30.2

Configure the CORE:

ip route-static 10.1.1.0 255.255.255.0 10.10.30.1

Tip: When the outbound interface of a static route is a logical interface such as a VLANIF interface or an Eth-Trunk, the next-hop address must be specified. A logical interface often has many member interfaces, and therefore many possible next hops, so the interface alone does not identify where to send the packet.

After the configurations are complete, ping the server from hosts.

The hosts can ping the server, so the configuration is correct.
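A model of the case-2 routing, added as an example that is not part of the original post: it builds the AGG and CORE routing tables from the direct routes the VLANIF interfaces generate plus the two static routes above, then traces a ping request and its reply hop by hop to show why both static routes are needed. The VLANIF 10, 20 and 30 network segments follow from the routes on the page; that 10.10.30.1 belongs to the AGG and 10.10.30.2 to the CORE is assumed, as are the sample host and server addresses.

```python
import ipaddress

class RoutingTable:
    """Longest-prefix-match table of (prefix, next hop); next hop None means a direct route."""
    def __init__(self):
        self.routes = []

    def add_direct(self, prefix):            # generated automatically by a VLANIF address
        self.routes.append((ipaddress.ip_network(prefix), None))

    def add_static(self, prefix, next_hop):  # ip route-static <network> <mask> <next-hop>
        self.routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop)))

    def lookup(self, dst):
        matches = [r for r in self.routes if ipaddress.ip_address(dst) in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

# Assumed: 10.10.30.1 is VLANIF 30 on the AGG and 10.10.30.2 is VLANIF 30 on the CORE,
# which is what the two static routes above imply.
OWNER = {ipaddress.ip_address("10.10.30.1"): "AGG", ipaddress.ip_address("10.10.30.2"): "CORE"}

def build(agg_static=True, core_static=True):
    agg, core = RoutingTable(), RoutingTable()
    agg.add_direct("10.1.1.0/24")          # VLANIF 10 on AGG (host gateway)
    agg.add_direct("10.10.30.0/24")        # VLANIF 30 on AGG
    core.add_direct("192.168.1.0/24")      # VLANIF 20 on CORE (server gateway)
    core.add_direct("10.10.30.0/24")       # VLANIF 30 on CORE
    if agg_static:
        agg.add_static("192.168.1.0/24", "10.10.30.2")
    if core_static:
        core.add_static("10.1.1.0/24", "10.10.30.1")
    return {"AGG": agg, "CORE": core}

def trace(tables, first_hop, dst):
    """Follow the route hop by hop; return the router path, or None if a router has no route."""
    path, router = [], first_hop
    while router is not None:
        path.append(router)
        route = tables[router].lookup(dst)
        if route is None:
            return None
        router = OWNER.get(route[1])       # None once the packet leaves on a direct route
    return path

def ping_ok(tables, host, server):
    """A ping needs a route for the request (host -> server) and for the reply (server -> host)."""
    return trace(tables, "AGG", server) is not None and trace(tables, "CORE", host) is not None
```

With only the AGG's static route configured the request reaches the server but the reply has no route back, so the ping still fails; both directions must be routed.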

That concludes VLAN communication. For more on VLAN technology, see the next issue.
